How to debug the following CloudFormation error?
0
ConfigureRateBasedRule: CloudFormation did not receive a response from your Custom Resource. If you are using the Python cfn-response module, you may need to update your Lambda function code so that CloudFormation can attach the updated version.
AWSTemplateFormatVersion: 2010-09-09
Description: >-
(SO0006) - AWS WAF Security Automations v2.2.0: This AWS CloudFormation
template helps you provision the AWS WAF Security Automations stack without
worrying about creating and configuring the underlying AWS infrastructure.
Metadata:
'AWS::CloudFormation::Interface':
ParameterGroups:
- Label:
default: Protection List
Parameters:
- SqlInjectionProtectionParam
- CrossSiteScriptingProtectionParam
- ActivateHttpFloodProtectionParam
- ActivateScannersProbesProtectionParam
- ActivateReputationListsProtectionParam
- ActivateBadBotProtectionParam
- Label:
default: Settings
Parameters:
- EndpointType
- AccessLogBucket
- Label:
default: Advanced Settings
Parameters:
- RequestThreshold
- ErrorThreshold
- WAFBlockPeriod
ParameterLabels:
SqlInjectionProtectionParam:
default: Activate SQL Injection Protection
CrossSiteScriptingProtectionParam:
default: Activate Cross-site Scripting Protection
ActivateHttpFloodProtectionParam:
default: Activate HTTP Flood Protection
ActivateScannersProbesProtectionParam:
default: Activate Scanner & Probe Protection
ActivateReputationListsProtectionParam:
default: Activate Reputation List Protection
ActivateBadBotProtectionParam:
default: Activate Bad Bot Protection
EndpointType:
default: Endpoint Type
AccessLogBucket:
default: Access Log Bucket Name
RequestThreshold:
default: Request Threshold
ErrorThreshold:
default: Error Threshold
WAFBlockPeriod:
default: WAF Block Period
Parameters:
SqlInjectionProtectionParam:
Type: String
Default: 'yes'
AllowedValues:
- 'yes'
- 'no'
Description: >-
Choose yes to enable the component designed to block common SQL injection
attacks.
CrossSiteScriptingProtectionParam:
Type: String
Default: 'yes'
AllowedValues:
- 'yes'
- 'no'
Description: Choose yes to enable the component designed to block common XSS attacks.
ActivateHttpFloodProtectionParam:
Type: String
Default: 'yes'
AllowedValues:
- 'yes'
- 'no'
Description: Choose yes to enable the component designed to block HTTP flood attacks.
ActivateScannersProbesProtectionParam:
Type: String
Default: 'yes'
AllowedValues:
- 'yes'
- 'no'
Description: Choose yes to enable the component designed to block scanners and probes.
ActivateReputationListsProtectionParam:
Type: String
Default: 'yes'
AllowedValues:
- 'yes'
- 'no'
Description: >-
Choose yes to block requests from IP addresses on third-party reputation
lists (supported lists: spamhaus, torproject, and emergingthreats).
ActivateBadBotProtectionParam:
Type: String
Default: 'yes'
AllowedValues:
- 'yes'
- 'no'
Description: >-
Choose yes to enable the component designed to block bad bots and content
scrapers.
EndpointType:
Type: String
Default: CloudFront
AllowedValues:
- CloudFront
- ALB
Description: Select the type of resource being used.
AccessLogBucket:
Type: String
Default: prod-logs-slicepay
AllowedPattern: "^[a-zA-Z0-9-_.]+$"
Description: >-
Enter a name for the Amazon S3 bucket where you want to store access logs
files. This can be the name of either an existing S3 bucket, or a new
bucket that the template will create during stack launch (if it does not
find a matching bucket name).
The solution will modify the bucket's notification configuration to
trigger the Log Parser AWS Lambda function whenever a new log file is
saved in this bucket. More about bucket name restriction here:
http://amzn.to/1p1YlU5
RequestThreshold:
Type: Number
Default: 2000
MinValue: 2000
Description: >-
If you chose yes for the Activate HTTP Flood Protection parameter, enter
the maximum acceptable requests per FIVE-minute period per IP address.
Minimum value of 2000. If you chose to deactivate this protection, ignore
this parameter.
ErrorThreshold:
Type: Number
Default: 50
MinValue: 0
Description: >-
If you chose yes for the Activate Scanners & Probes Protection parameter,
enter the maximum acceptable bad requests per minute per IP. If you chose
to deactivate Scanners & Probes protection, ignore this parameter.
WAFBlockPeriod:
Type: Number
Default: 240
MinValue: 0
Description: >-
If you chose yes for the Activate Scanners & Probes Protection parameters,
enter the period (in minutes) to block applicable IP addresses. If you
chose to deactivate this protection, ignore this parameter.
Conditions:
SqlInjectionProtectionActivated: !Equals
- !Ref SqlInjectionProtectionParam
- 'yes'
CrossSiteScriptingProtectionActivated: !Equals
- !Ref CrossSiteScriptingProtectionParam
- 'yes'
HttpFloodProtectionActivated: !Equals
- !Ref ActivateHttpFloodProtectionParam
- 'yes'
ScannersProbesProtectionActivated: !Equals
- !Ref ActivateScannersProbesProtectionParam
- 'yes'
ReputationListsProtectionActivated: !Equals
- !Ref ActivateReputationListsProtectionParam
- 'yes'
BadBotProtectionActivated: !Equals
- !Ref ActivateBadBotProtectionParam
- 'yes'
LogParserActivated: !Equals
- !Ref ActivateScannersProbesProtectionParam
- 'yes'
AlbEndpoint: !Equals
- !Ref EndpointType
- ALB
CloudFrontEndpoint: !Equals
- !Ref EndpointType
- CloudFront
Mappings:
SourceCode:
General:
S3Bucket: solutions
KeyPrefix: aws-waf-security-automations/v2.2.0
Solution:
Data:
SendAnonymousUsageData: 'Yes'
LogLevel: INFO
Resources:
AlbStack:
Type: 'AWS::CloudFormation::Stack'
Condition: AlbEndpoint
Properties:
TemplateURL: !Join
- /
- - 'https://s3.amazonaws.com'
- !Join
- '-'
- - !FindInMap
- SourceCode
- General
- S3Bucket
- !Ref 'AWS::Region'
- !FindInMap
- SourceCode
- General
- KeyPrefix
- aws-waf-security-automations-alb.template
Parameters:
SqlInjectionProtectionParam: !Ref SqlInjectionProtectionParam
CrossSiteScriptingProtectionParam: !Ref CrossSiteScriptingProtectionParam
ActivateHttpFloodProtectionParam: !Ref ActivateHttpFloodProtectionParam
ActivateScannersProbesProtectionParam: !Ref ActivateScannersProbesProtectionParam
ActivateReputationListsProtectionParam: !Ref ActivateReputationListsProtectionParam
ActivateBadBotProtectionParam: !Ref ActivateBadBotProtectionParam
AccessLogBucket: !Ref AccessLogBucket
WafApiType: waf-regional
WafArnPrefix: !Join
- ''
- - 'arn:aws:waf-regional:'
- !Ref 'AWS::Region'
- ':'
ParentStackName: !Ref 'AWS::StackName'
CloudFrontStack:
Type: 'AWS::CloudFormation::Stack'
Condition: CloudFrontEndpoint
Properties:
TemplateURL: !Join
- /
- - 'https://s3.amazonaws.com'
- !Join
- '-'
- - !FindInMap
- SourceCode
- General
- S3Bucket
- !Ref 'AWS::Region'
- !FindInMap
- SourceCode
- General
- KeyPrefix
- aws-waf-security-automations-cloudfront.template
Parameters:
SqlInjectionProtectionParam: !Ref SqlInjectionProtectionParam
CrossSiteScriptingProtectionParam: !Ref CrossSiteScriptingProtectionParam
ActivateHttpFloodProtectionParam: !Ref ActivateHttpFloodProtectionParam
ActivateScannersProbesProtectionParam: !Ref ActivateScannersProbesProtectionParam
ActivateReputationListsProtectionParam: !Ref ActivateReputationListsProtectionParam
ActivateBadBotProtectionParam: !Ref ActivateBadBotProtectionParam
AccessLogBucket: !Ref AccessLogBucket
WafApiType: waf
WafArnPrefix: 'arn:aws:waf::'
ParentStackName: !Ref 'AWS::StackName'
LambdaWAFLogParserFunction:
Type: 'AWS::Lambda::Function'
Condition: LogParserActivated
Properties:
Description: !Join
- ''
- - >-
This function parses access logs to identify suspicious behavior,
such as an abnormal amount of errors. It then blocks those IP
addresses for a customer-defined period of time. Parameters:
- !Ref ErrorThreshold
- ','
- !Ref WAFBlockPeriod
- .
Handler: log-parser.lambda_handler
Role: !If
- AlbEndpoint
- !GetAtt AlbStack.Outputs.LambdaRoleLogParserArn
- !GetAtt CloudFrontStack.Outputs.LambdaRoleLogParserArn
Code:
S3Bucket: !Join
- '-'
- - !FindInMap
- SourceCode
- General
- S3Bucket
- !Ref 'AWS::Region'
S3Key: !Join
- /
- - !FindInMap
- SourceCode
- General
- KeyPrefix
- log-parser.zip
Environment:
Variables:
OUTPUT_BUCKET: !Ref AccessLogBucket
IP_SET_ID_LIST: !If
- AlbEndpoint
- !GetAtt AlbStack.Outputs.WAFLISTSet
- !GetAtt CloudFrontStack.Outputs.WAFLISTSet
IP_SET_ID_AUTO_BLOCK: !If
- AlbEndpoint
- !GetAtt AlbStack.Outputs.WAFScannersProbesSet
- !GetAtt CloudFrontStack.Outputs.WAFScannersProbesSet
LIST_BLOCK_PERIOD: !Ref WAFBlockPeriod
ERROR_PER_MINUTE_LIMIT: !Ref ErrorThreshold
SEND_ANONYMOUS_USAGE_DATA: !FindInMap
- Solution
- Data
- SendAnonymousUsageData
UUID: !GetAtt CreateUniqueID.UUID
LIMIT_IP_ADDRESS_RANGES_PER_IP_MATCH_CONDITION: '10000'
MAX_AGE_TO_UPDATE: '30'
REGION: !Ref 'AWS::Region'
LOG_TYPE: !If
- AlbEndpoint
- alb
- cloudfront
METRIC_NAME_PREFIX: !Join
- ''
- !Split
- '-'
- !Ref 'AWS::StackName'
LOG_LEVEL: !FindInMap
- Solution
- Data
- LogLevel
STACK_NAME: !Ref 'AWS::StackName'
Runtime: python3.11
MemorySize: 512
Timeout: 300
LambdaInvokePermissionLogParser:
Type: 'AWS::Lambda::Permission'
Condition: LogParserActivated
Properties:
FunctionName: !GetAtt LambdaWAFLogParserFunction.Arn
Action: 'lambda:*'
Principal: s3.amazonaws.com
SourceAccount: !Ref 'AWS::AccountId'
LambdaWAFReputationListsParserFunction:
Type: 'AWS::Lambda::Function'
Condition: ReputationListsProtectionActivated
Properties:
Description: >-
This lambda function checks third-party IP reputation lists hourly for
new IP ranges to block. These lists include the Spamhaus Dont Route Or
Peer (DROP) and Extended Drop (EDROP) lists, Proofpoint Emerging
Threats IP list, and Tor exit node list.
Handler: reputation-lists-parser.handler
Role: !If
- AlbEndpoint
- !GetAtt AlbStack.Outputs.LambdaRoleReputationListsParserArn
- !GetAtt CloudFrontStack.Outputs.LambdaRoleReputationListsParserArn
Code:
S3Bucket: !Join
- '-'
- - !FindInMap
- SourceCode
- General
- S3Bucket
- !Ref 'AWS::Region'
S3Key: !Join
- /
- - !FindInMap
- SourceCode
- General
- KeyPrefix
- reputation-lists-parser.zip
Runtime: nodejs16.x
MemorySize: 128
Timeout: 300
Environment:
Variables:
SEND_ANONYMOUS_USAGE_DATA: !FindInMap
- Solution
- Data
- SendAnonymousUsageData
UUID: !GetAtt CreateUniqueID.UUID
METRIC_NAME_PREFIX: !Join
- ''
- !Split
- '-'
- !Ref 'AWS::StackName'
LOG_LEVEL: !FindInMap
- Solution
- Data
- LogLevel
LambdaWAFReputationListsParserEventsRule:
Type: 'AWS::Events::Rule'
Condition: ReputationListsProtectionActivated
Properties:
Description: Security Automations - WAF Reputation Lists
ScheduleExpression: rate(1 hour)
Targets:
- Arn: !GetAtt LambdaWAFReputationListsParserFunction.Arn
Id: LambdaWAFReputationListsParserFunction
Input: !Join
- ''
- - '{"lists":'
- |-
[
{"url":"https://www.spamhaus.org/drop/drop.txt"},
{"url":"https://check.torproject.org/exit-addresses", "prefix":"ExitAddress"},
{"url":"https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"}
]
- ',"apiType":"'
- !If
- AlbEndpoint
- waf-regional
- waf
- '","region":"'
- !Ref 'AWS::Region'
- '",'
- '"ipSetIds": ['
- '"'
- !If
- AlbEndpoint
- !GetAtt AlbStack.Outputs.WAFReputationListsSet
- !GetAtt CloudFrontStack.Outputs.WAFReputationListsSet
- '"'
- ']}'
LambdaInvokePermissionReputationListsParser:
Type: 'AWS::Lambda::Permission'
Condition: ReputationListsProtectionActivated
Properties:
FunctionName: !Ref LambdaWAFReputationListsParserFunction
Action: 'lambda:InvokeFunction'
Principal: events.amazonaws.com
SourceArn: !GetAtt LambdaWAFReputationListsParserEventsRule.Arn
LambdaWAFBadBotParser
Language
English
asked a month ago176 viewslg...
1 Answer
- Newest
- Most votes
- Most comments
Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.
0
Accepted Answer
Hi There
It does not look like the entire CF template has been posted in your question, however tt looks like you are deploying a very early version (2.2.0) of this solution: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/aws-cloudformation-templates.html
Can you try the latest version?
Relevant content
- Accepted Answer
asked 4 years agolg... - Accepted Answerasked 9 months agolg...
- asked 8 months agolg...
AWS OFFICIALUpdated 2 months ago- AWS OFFICIALUpdated a month ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 2 months ago
